Kazaa, eDonkey brace for attack

File-sharing Web sites Kazaa and eDonkey are steeling themselves for a distributed denial-of-service attack expected Wednesday from a clutch of new variants of the NetSky worm.

NetSky.Q, which first appeared last week, is designed to attack various Web sites that distribute either file-sharing clients or hacking and cracking tools. Kazaa and eDonkey are its best-known targets, and the attack is scheduled to last for six days. However, the targeted sites will get only a short break. NetSky.T, which was discovered Tuesday, is set to launch a new distributed denial-of-service (DDoS) attack on April 14. This attack is scheduled to last for 10 days.

Mikko Hypponen, director of antivirus research at F-Secure, said he expects the targets to fare badly, because they are relatively small companies that will not have the necessary infrastructure to survive a large DDoS attack. "NetSky is widespread, so I wouldn't be surprised if the sites collapse under the load," he said.

Because these versions of NetSky are engineered to attack only Kazaa and eDonkey's main Web sites, their actual file-sharing networks will not be affected. This means that people should be able to continue swapping files without disruption.

Marco Righetti, virus coordinator at Trend Labs, the research arm of antivirus firm Trend Micro, said the NetSky.Q variant may cause the targeted sites some problems but that NetSky.T is not spreading very fast and does not look like a serious issue at the moment.

However, NetSky contains a "back door" that lets the worm be automatically transformed to a newer variant by the authors, so people who have not removed previous NetSky infections are likely to be "upgraded" to the latest version of NetSky so that their machines can join the attack.

Besides launching DDoS attacks, recent NetSky variants have also stopped trying to remove the Bagle worm from infected machines, a behavior that the previous 16 variants of the worm exhibited. This may indicate that a different group of programmers is writing the worm.

Messages hidden inside NetSky.Q claim that the authors do not have any "criminals inspirations," because they do not use the worm to relay spam. They also deny that they are "children" using virus toolkits and say they want to "prevent hacking, sharing of illegal stuff and similar illegal content."

But Trend Micro's Righetti dismissed this moral high ground, saying the NetSky authors are doing more damage than the sites they are attacking may be doing. "Kazaa spreads music, and the other sites spread passwords and key generators for cracking programs. The worm's authors are trying to do something they may think is morally right, but this is actually 10 times worse," he said.

Kevin Hogan, senior manager for Symantec's Security Response division, said the messages contained in NetSky should be ignored, because he suspects that the source code for NetSky is circulating within the hacker underground, such that anyone could be creating the new variants. "It's hard to tell if it is the same group of people that wrote the previous variants. The guys that are writing these worms could be pulling the wool over all our eyes," he said.